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Abstract 

Informally, steganography is the process of exchanging a secret message between two communi¬ 
cating entities so that an eavesdropper may not know that a message has been sent. After a review 
of some steganographic systems, we found that these systems have some defects. First, there are 
situations in which some concealment algorithms do not properly hide a secret message. Second, to 
conceal one bit of a secret message, some ask at least five documents and make at least two sampling 
operations, thus increasing their run-times. Considering the different ways to communicate with the 
receiver, we propose two steganographic systems adapted to the email communication whose algo¬ 
rithms are deterministic. To hide one bit of a secret message, our steganographic systems need only 
one document and performs one sampling operation and therefore significantly reduces the run-time. 
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1 Introduction 

Steganography is the art of concealing secret messages in seemingly innocent media. The use of steganog¬ 
raphy is not new, as it dates back to antiquity mmm- But scientific study began when G. J. Simmons 
[I formulated the problem of communication between two prisoners, which can be stated as follows: 
Alice and Bob, both prisoners, held in separated cells and remote from one another wish to establish an 
escape plan without Eve the guardian knowing about it. With Eve allowing them to communicate on 
condition that the exchanged messages are clear and understandable. 

State of art: Two formalisms have been proposed to solve this problem: Theory of Information and 
Theory of Complexity. In the theory of information, C. Cachin [2] provided a steganographic protocol 
based on a probabilistic model. It defines the security of a steganographic protocol by a relative entropy 
between the distribution of covertexts and stegotexts. Here, a protocol is said to be perfectly safe if the 
relative entropy is null. In the theory of complexity approach, N. Hopper, J. Langford and L. Von Ahn 
[3], offered a rigorous formalization of a protocol whose security is based on the difficulty for an adversary 
to distinguish the distribution of covertexts and stegotexts in polynomial time. 

N. Hopper and al. [3] proposed a protocol based on a function called rejection sampling. The aim of 
function is to find in a distribution of covertexts, a covertext which its image by a given pseudo-random 
function is equal to the secret message’s bit that we want to hide. We present now the algorithms 
proposed in [3]. 


Algorithm 1 Rejection sampling [3] 

Procedure RS 

1: Input: Key AT, Target x , iteration count , history h 
2 : * = 0 

3: repeat 

4: C <— S (/l) 

5: Increment i 

6: until i = count or Fki(c) = x 

7: Output: c 
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Algorithm 2 Embedding procedure [3] 

Procedure SI.Embed 

1: Input: Key K 1 hiddentext m £ {0,1}*, history h 
2: Parse m as m\ | \ml\\ • • • | 

3: for i = 1 • • • n do 
4 : Ci = RS(K,mi,\K\,h) 

5 : h = h\ \C{ 

6: end for 

7: Output: C 1 C 2 ■ • • c n 


Algorithm 3 Extracting procedure [5 
Procedure SI.Extract 
1 : Input: Key K, stegotexts C 1 C 2 • • ■ c n 
2: for i = 1 ■ ■ ■ n do 
3: mi = F K (d) 

4: end for 

5: m = mi||m 2 || • • • \ \m n 

6: Output: m 


The concealment algorithm applies the RS procedure for each bit. The extracting algorithm simply 
applies pseudo-random function to each document received. 

This system possesses two defects: firstly, it needs more sampling operations (expensive operation [7]) 
which increases its run-time. The algorithm runs in 0(\K\n). Secondly this system is not safe for a 
covertexts distribution which owns a small min-entropy [B]. 

To correct these flaws, Hopper and al. [4] have proposed another protocol. That protocol is still based 
on a rejection sampling function. But this time, it makes at most two sampling operations and uses a 
error correcting code to increase the reliability of the steganographic system. 


Algorithm 4 rejection sampling [3] 

Procedure RS 

1 : Input: Key K 1 , Synchronized N 1 , Target x, iteration count , history h 
2 : * = 0 

3: repeat 
4: C i — S (h) 

5: Increment i 

6: until i = count or Fki{N1, c) = x 

7: Output: c 


Algorithm 5 Embedding procedure [3] 

Procedure 52. Embed 

1 : Input: Key K , Synchronized N , hiddentext m! £ {0,1}*, history h 
2: Let m = Enc{m') 

3: Parse m as m\ | |?t4| | • • • 11 m„ 

4: for i = 1 • ■ • n do 

5: a = RS{K,N,m h 2,h) 

6: h = h\\Ci 

7: Increment N 

8: end for 

9: Output: C 1 C 2 • • • c n 
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Algorithm 6 Extracting procedure [I, 

Procedure 52. Extract 

1 : Input: Key K , Synchronized N , stegotexts C 1 C 2 ■ ■ ■ c n 

2: for < = 1 • • • n do 
3: rhi = F K (N,d) 

4: Increment N 

5: end for 

6: to = mi||rn 2 || • • • \ \rh n 
7: Output: Dec{fh) 


The use of a error correcting code is not only time expensive but reduces the transmission rate of the 
steganographic system (number of bits of secret message transmitted by covertext sent). Indeed, without 
use of error correcting code the failure probability of concealment of this system varies between 1 /4 and 
1/3. It depends on the covertexts distribution. 

Shannon has shown that for a channel having a probability p of distortion of a symbol, the capacity 
of this channel is equal to 1 — H{p). On such a channel, one can reliably communicate with a corrector 
code with a rate close to 1 — H(p). Taking p = 1/4, the rate goes to 0.2 so covertexts 5 for a single 
secret message bit transmitted, their concealment algorithm runs in 0( i_g( p ) x n ) plus time of error 

correcting code where n is the length of secret message. 

L. Reyzin and S. Russell [B] generalized the protocol proposed in [3] in order to be safe for stegano¬ 
graphic distribution which has a small min-entropy. L. Reyzin and al. proceeded as follows: to hide a 
bit of secret message, it uses t covertexts instead of only one. By doing so, it increases the min-entropy 
of the covertexts distribution, his concealment algorithm runs in 0(\K\ x t x n ). 


Algorithm 7 Rejection sampling [8] 

Procedure RS 

1: Input: Key K 1, Target y , iteration count 1 history h 1 number of covertexts t 
2: i = 0 

3: repeat 

4: h' = h 

5: for j = 1 • • • t do 

6: Xj <— S(h) 

7: h' = h'\\Xj 

8: end for 

9 : X = X1X2 ■ ‘ ■ Xt 

10: Increment i 

11: until i = count or Fki(x) = y 
12 : Output: X 


Algorithm 8 Embedding procedure [6] 

Procedure S3.Embed 

1: Input: Key K , hiddentext m E {0,1}*, history h , number of covertexts t 
2 : Parse m as m\\\m\\\ ■ ■ ■ Wm^ 

3: for i = 1 • ■ • n do 

4: Ci = RS(K , TOj, \K\, h, t) 

5: h = h\ \Ci 

6: end for 

7: Output: C 1 C 2 • • • c n 
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Algorithm 9 Extracting procedure [6 
Procedure S3.Extract 
1 : Input: Key K, stegotexts cic 2 ■ ■ ■ c n 
2: for i = 1 • • • n do 
3: TO* = F K {d) 

4: end for 

5 : m = mi\\m 2 \ \ ■ ■ • \ \m n 

6: Output: to 


N. Hopper et al. [5] proposed another steganographic system that no longer uses error correcting 
code. To hide a single bit, this system makes t copies of the secret message. And for each copy, it seeks 
a covertext in the channel whose image via a pseudo-random function is equal to the secret message by 
taking more than twice from the channel, the concealment and extracting algorithms run in 0(t) for one 
bit. 


Algorithm 10 Embedding procedure [5] 

Procedure S4.Embed 

1: Input: Key K, hiddentext m G {0,1}, history h, Synchronized N 
2: for * = 1 • ■ • t do 
3: di, d! i G- S(h) 

4: if Fk(N + i, di) = m then 

5 : Si — di 

6: else 

7: Si — di 

8: end if 

9: h = h\\si 

10: end for 
11: N = N + t 
12 : Output: Si • • • St 


Algorithm 11 Extracting procedure [5] 

Procedure 54 .Extract 

1: Input: Key K , Synchronized N , stegotexts Si • • • St 
2: C = 0 

3: for * = 1 • • ■ t do 
4: C = C + Fk(N, Si) 

5: Increment N 

6: end for 
7: if C > t/2 then 
8: m = 1 

9 : else 
10: m = 0 

11: end if 
12 : Output: TO 


2 Our contribution 

Hopper et al. [3] proposed a steganographic system whose transmission rate is 1 bit per document sent. 
In order to improve the safety of the system to expand the channel distributions that have small min- 
entropy, they proposed in [J a system that reduces the transmission rate to 1 bit for 5 sent documents. 
Generalizing the system 3] to be applied to channels that have small min-entropy, Reyzin L. and S. 
Russell propose a system which also reduces the transmission rate to 1 bit for t sent documents. 
Hopper et al. [5] proposed a system that has the same transmission rate as [B]. 
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The systems proposed in significantly reduce the transmission rate of one of [3]. These systems 

preserve probabilistic property of the concealment algorithm [3] and ask several sampling operations. The 
run-time of all these concealment algorithms is considerable: generally O(a.n). 

We propose two steganographic systems for the communication by email with concealment algorithms 
are deterministic. To hide a secret message bit, our algorithms only perform one sampling operation and 
transmission rate is 1 bit document sent by reducing their execution time in 0{n). The safety of protocols 
is reduced to that of a pseudo-random function. 

This article is organized as follows: In section 3, we give some definitions that support the solution 
developed in this work. In section 4, we present our steganographic protocols and we conclude in section 
5. 

3 Definitions 

Formatting convention: Let < ai, ci 2 , • • • , a n > an array of elements. Two tables are said to be equal 
if the same index items are equals. 

3.1 Channel 

Let be a set of documents. A channel C is a function that takes as input a history h £ and provides 
a distribution probability 2\. 

The channel formalizes a normal communication between two entities. We define here a normal commu¬ 
nication by email making use of the channel. 

Let A be a set of array of addresses and A a uniform distribution on A. We define an email by a 
triplet ( d,adr,t ) where d £ t the sent date of message and adr £ A an array of addresses containing 
the receivers’ addresses. 

Let h = d\d 2 ■ • ■ d n be the history of already sent messages. A mail (d, adr, t) is said to be normal if d is 
drawn at random from the channel and adr is chosen at random in A. 

3.2 Steganographic system 

Let A be a set of array of addresses and a set of documents. A steganographic protocol or stegano¬ 
graphic system is a pair of algorithms S = (S.Embed, S.Extract): 

• S.Embed takes as input a key K £ {0, l} fc , a string m £ {0,1}* 
access to S. S.Embed(k,m., h) returns a sequence of mails S 1 S 2 • 

• S.Extract takes as input a key K , two sequences of messages S 1 S 2 
returns the secret message m 

Reliability 

S.Embed and S.Extract must satisfy the following relationship: 

Vto : Pr[S.Extract(K, S.Embed(K, to, h)) = m] = 1 


(hiddentext), a history h and has 
■ ■ s n where Si = (di,adr;,A). 

• • • s ni and • • • s n2 . S.Extract 


3.3 Security 

Intuitively we require, according to the security of steganographic system, that no effective adversary G 
can distinguish mails returned by the concealment algorithm from normal mails. We assume that G knows 
distributions T>h and A. We allow the adversary G to have access to S. Embed and h (communication 
history between Alice and Bob), and select a message m. Only the key is not known by G. We model an 
attack against a steganographic system as a game played by a passive adversary as: G has access to the 
oracle M that can be either: 

• ST. The oracle ST has a uniformly chosen key K and responds to requests (m, h) with a mail 
drawn sequence S.Embed{K , m, h ). 

• CT. The CT oracle also has a uniformly chosen key K and respond to requests (m, h) with a 
sequence of normal mails S 1 S 2 • • ■ s n where Si = ( di , adr-j, A), di £ T>hd 1 d 2 ...d i - 1 for 1 < * < n. adri 
is randomly selected in A. n is the number of mails returned by S.Embed(K , m, h). 
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After interaction with its oracle, G sets out a bit which represents his assumption about the type of 
M. He puts 1 to say that M is of type ST and 0 otherwise. We define the advantage of G against a 
steganographic system S for a channel C by: 

Adv| s c (G) = | i P_r jc [G M =^ = 1] - Pt ^[G m = ct = 1]| 

where the probability is taken as the random effect of ST, CT and the choice of G. We define the 
insecurity of S by: 

InSec| S c {t,q,l) = max {Advf s c (G)} 

G&g{t,q,l) 

where Q(t,q,l) is the set of all the adversaries that makes at most q queries to the oracle, totaling at 
most l bits (hiddentexts) and runs at most in t steps. 

3.4 Pseudorandom function 

Let T = {Fk}kg{ o,i} n be a family of functions all with the same domain and co-domain. Let A be a 
probabilistic adversary with access to Fn sampling oracle. The prf-advantage of A to T is: 

Ad v p ; f (A) = I K Pr [A Fn= ' F,f = 1] - Pr[A Fn=/ = 1]| 

where f is a random function of the same domain and co-domain Fk- The insecurity of T is given 
by the following formula: 

InSeCp (t,q) = max {Ad v p ; f (A)} 

AeA(t,q) 

where A(t, q) denotes the set of opponents performing at most t steps and makes at most q queries 
to the oracle. 

4 Our protocols 

We present in this section our steganographic protocols that conceal several bits. The security of these 
protocols is based on the difficulty to solve a cryptographic problem: the break of a pseudo-random 
function. 

Each of these protocols uses two primitives: extractDocument which takes as input a mail and returns 
the document in this email and extractAddresses which takes as input a mail and returns an array of the 
destination email addresses. 

We assume also that Bob owns two addresses: addressl and address2 known by Alice and Eve. 

4.1 Steganographic protocol 1 

4.1.1 Secret steganographic state for one bit 

Alice and Bob share a channel C. T is a pseudo-random function where Fk : {0, l} d x E -> 

Alice and Bob possess a secret key K £ (0, l} fc and are synchronized by a counter N £ {0,1}". Let 
A = {< addressl >, < address2 >} be a set of array of addresses and A an uniform distribution of A. 
The following algorithms allow Alice and Bob to hide and extract a bit of secret message. 


Algorithm 12 Embedding procedure for one bit 
Procedure S.EmbedOneBit 

1: Input: Key K, Hiddentext m £ {0,1}, Synchronized N, history h, Sent date t 
2 : d^S{h) 

3: if (Fk(N, d) = m) then 
4: s = (d, < address 1 >, t) 

5: else 

6: s = (d, < address2 >, t) 

7: end if 
8 : Increment N 
9: h = h\\d 

10: Output: s 
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Algorithm 13 Extracting procedure for one bit 
Procedure S.ExtractOneBit 
1: Input: Key K. Synchronized N, mail s 
2 : d = extractDocument(s) 

3: m = Fk (N, d) 

4: if (■ extractAddresses(s ) = < address2 >) then 
5: m = TO 

6: end if 
7: Increment N 
8: Output: m 


The idea behind this algorithm is simple. Suppose Alice and Bob can communicate using two envelopes 
of different colors (white and brown). Alice, to send a message to Bob, draws a document d from the 
channel, evaluates it by the function Fk{N, •). If the result Fx[N,d) is equal to the bit of message she 
wants to hide, Alice sends the document d in the white envelope otherwise it’s sent in the brown envelope. 
When Bob receives the document d in a brown envelope, he takes the complement of the secret message 
provided by the document otherwise he takes the bit as provided. 

Run-time: The complexity in time is constant: T = 0(1). 

Reliability: Our protocol uses deterministic algorithms, therefore we can easily find all the bits em¬ 
bedded in the mails. 

Insecurity: We show here that the task of an adversary to distinguish, between the distribution of 
mails returned by the concealment algorithm from normal mails, is more difficult than an adversary of a 
pseudo-random function. The proof of the theorem below is similar to the ones of mm- 

First, we will show that the distribution of documents returned by the concealment algorithm is equal to 
that of the channel. Then we also show that when replacing the function Fk{-, •) by a random function, 
the distribution of addresses returned by concealment algorithm is equal to A. And later, we will build an 
opponent against a pseudorandom function that has the same advantage an adversary of a steganographic 
system. 

Lemma 1: The probability of a document received from channel, returned by S.EmbedOneBit(K , m, N, h) 
is equal to the probability of this document in the channel T>h ■ 

Proof: Let di document content in the email back S.EmbedOneBit{K,m,h). The probability that 
di is put in output only depends on its drawn in the channel conditioned by history h. Thus 

Pr [di] = Pr[dj] 

(di ,adri,ti)<—S.EmbedOneBit(K,m,N,h ) T>h 


Lemma 2: When the function Fk(-, •) is replaced by a random function /, for all h € XT the probability 
of address in the mail returned by S.EmbedOneBitfK , to, N, h) is equal to her probability in A. 

Proof: Let m be the bit of secret message. The probability that sends a document to the address 
< adressel >£ A depends on the evaluation of the document and the counter N in the function /. And 
as the counter is incremented every sent document the entrance ( N , d) will always be different for the 
opponent even if a document is sent more than once. 

Pr[< adressel >] = Pr [f(N,d) = to] 

_ 1 
“ 2 


Theorem 1: 

InSecJ^(f, q , q) < InSec p* (t + qO( 1), q) 
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Proof: Let G £ Q(t, q, l ) an adversary for S. We construct an opponent A for a pseudorandom function 
T with same advantage G. The construction algorithm is given below: 

• A Fn works by executing G and intercepting all queries sends his oracle M, 

• To respond these demands, A Fn simulates concealment algorithm: S.EmbedOneBit using the oracle 
Fn instead of Fk and gets a result c; and starts with G with c as response to its request. 

• When G stops with output b, A also puts b output. 

Clearly, where Fn = Fk, A Fn perfectly simulates the oracle ST of G, as follows: 

Pr [ A Fn=FK = 1] = Pr [G m=st = 11 (1) 

K<—{0,l} k 1 

By the previous Lemma 1 and Lemma 2, when Fn is a random function /, A Fn perfectly simulates the 
CT oracle G: 

PrM Fn=/ = 1] = Pr [G m=ct = 1] (2) 

K<-f C 

Subtracting (2) from (1) we obtain: 

Adv Fr/ (A) = Advf s c (G) 

The theorem follows by definition of insecurity. 

4.1.2 Secret steganography state for several bits 

We now present our first protocol that allows steganography to conceal several bits. The algorithms 
below allow Alice and Bob to embed and extract more bits of secret messages. 


Algorithm 14 Embedding procedure for multiple bits 
Procedure S.Embed 

1: Input: Key K , Hiddentext m £ {0,1}*, Synchronized N, history h, Sent date t. 
2 : Parse m as m\\\m\\\ • • • || 

3: for i = 1 • • • n do 

4 : Si = S.EmbedOneBit(K , to*, N, h, t) 

5 : di = extract Document (si) 

6 : h = h\\di 

7: Increment N 

8: t = t A 1 

9: end for 

10: Output: S\S 2 ---S n 


Algorithm 15 Extracting procedure for multiple bits 
Procedure S.Extract 

1: Input: Key K , Synchronized N, Mails addressl S\S 2 • • ■ s ni , Mails address2 SiS 2 ' ' ' s n 2 
2: s = merge the two mails sequences sorted in ascending order of sent date. 

3: for i — 1 • • • n do 

4: TOj = S.ExtractOneBit(K , N, s,;) 

5: Increment N 

6: end for 

7: Output: toi||to 2 || • • • \\m n 


The sequences siS 2 ' ,- s ni and s 1 s 2 - ■ ■ s n2 are the mails contained respectively in the mail boxes 
addressl and address2. 

Run-time: The concealment algorithm runs in 0(n). Concerning the extraction algorithm, note that 
mails received in a mail box are recovered in the sending order. This means that the two sequences 
are sorted by date of mailing. The statement 2 of the extraction algorithm is there to merge these two 
sequences in a sorted sequence. This operation is performed in at most 0(n). Thus, the extraction 
algorithm runs in 0(n) + 0(n) which is equal to O(n). 










4.2 Steganography Protocol 2 

4.2.1 Secret steganography to state for a bit 

The idea of this protocol is to do a broadcast with destination addresses. The order of the addresses in 
the broadcast is very important. This order determines whether the recipient must take the extracted 
secret message bit of the document or its complement. From the two recipient addresses, one can have 
only two types of diffusion address with respect of to the order. So A = {< addressl, address2 >,< 
address2, address! >}. Let A be a uniform distribution on A. We only need to consider mails sent one 
address recipient’s to extract the secret message. 


Algorithm 16 Embedding procedure for one bit 
Procedure S' .EmbedOneBit. 

1: Input: Key K , Hiddentext m £ {0,1}, Synchronized N 1 history h, Sent date t 
2: d^S(h) 

3: if ( Fx(N,d)=m ) then 

4: s = (d, < address 1, address2 >, t) 

5: else 

6: s = (d, < address2, address 1 >, t) 

7: end if 
8: Increment N 
9: h = h\\d 
10: Output: s 


Algorithm 17 Extracting procedure for one bit 
Procedure S'.ExtractOneBit 
1: Input: Key K, Synchronized N, mail s 
2 : d = extractDocument(s) 

3: m = Fk {N, d) 

4: if (extractAddresses(s) = < address2, address! >) then 
5: m = ro 

6 : end if 
7: Increment N 
8 : Output: m 


Run-time: The execution time of this protocol is practically constant for concealment and extraction 
algorithms and depends on the size of the secret message that is obviously 1: T = 0(1). 

Insecurity: The security of this protocol is exactly the same as the one expressed in the theorem 1. 

4.2.2 Secret steganography state for several bits 


Algorithm 18 Embedding procedure for multiple bits 
Procedure S'.EmbedMultiBits 

1: Input: Key K , Hiddentext m £ {0,1 }*,Synchronized N, history h, Sent date t 
2: Parse nn as rnJHm^H • • • || md n 
3: for i — 1 • • • n do 

4: Si = S'.EmbedOneBit.(K, mi, N , h, t) 

5: di = extract Document (si) 

6 : h = h\\di 

7: Increment N 

8: t = t T 1 

9: end for 

10 : Output: SiS 2 ---S n 
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Algorithm 19 Extracting procedure for multiple bits 
Procedure S'.ExtractMultisBits 
l: Input: Key K , Synchronized N , Mails S 1 S 2 ■ • • s n 
2: for i = 1 • • • n do 
3: TO* = S' .ExtractOneBit(K, N , Si) 

4 : Increment N 

5: end for 

6: Output: toi||to 2 || ■ • • ||m„ 


Run-time: T = 0(n). 


5 Conclusion 

In this work, we were interested in the reducing of the time complexity and the number of documents sent 
to hide a secret message. Our protocols use a constant time to hide and extract a bit of secret message 
and run in 0(n) to hide and extract n bits of a secret message. 
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